Importing Client Authentication Certificates into IIS 4.0 (221549)

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

Microsoft Internet Information Server (IIS) 4.0 performs certificate mapping through two means-either by setting certificate content rules or using the actual certificate itself. Unfortunately, certificates may be encoded in many ways, and the certificate mapper in IIS 4.0 only reads one format, which is Base64 encoded X.509. This is the format that Certificate Server 1.0 produces by default. You can export this format from Internet Explorer 5.0.

MORE INFORMATION

To export a client authentication certificate from Internet Explorer 5.0, perform the following steps from the browser:

Click Tools.
Click Internet Options.
Click the Content tab.
Click the Certificates button.
Select the certificate that you want to export, and then click Export.
Click Next.
Do not export the private key.
Select Base64 encoded X.509 (.CER).
Enter a file name.
Click Next.
Click Finish.

To import this into Internet Information Server 4.0, perform the following steps (this is assuming you have SSL installed):

Righ-click on the Web location where you want to use client authentication certificates.
Select the Directory Security tab.
Click the Edit button in the Secure Communications frame.
Make sure Require Secure Channel, Require Client Certificates, and Client Certificate Mapping are checked.
Select Add.
Click the certificate you exported.
Enter the mapping and user account information.

Now, whenever a client uses that certificate to access a secured resource in IIS 4.0, the Web server will automatically log the user account on what was entered in the mapping dialog box.